Bug #76538 Segmentation failure when running mysqladmin -u root -p
Submitted: 31 Mar 2015 5:56 Modified: 8 Jul 2015 23:08
Reporter: Honza Horak (OCA)
Status: Closed
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.6.23, 5.5.42 OS:Any
Assigned to: CPU Architecture:Any

[31 Mar 2015 5:56] Honza Horak
Description:
Even though the original issue reported as https://bugzilla.redhat.com/show_bug.cgi?id=1207041 was seen on s390x, I was able to reproduce with x86_64 as well.

The report below is for MariaDB, but MySQL crashes the same way in 5.6.23 and 5.5.42.

"mysqladmin" crashes on execution of the command below:

 # mysqladmin -u root -p

 mysqladmin  Ver 9.0 Distrib 5.5.41-MariaDB, for Linux on s390x
 Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

 Administration program for the mysqld daemon.
 Usage: mysqladmin [OPTIONS] command command....

 Default options are read from the following files in the given order:
 Segmentation fault (core dumped)

This error occurs only when no options are sent with the mysqladmin command.
If I downgrade the mariadb packages to version 5.5.37-1.el7, I do not get a core dump.

Version-Release number of selected component (if applicable):
mariadb-5.5.41-2.el7_0

How reproducible:
Always

Steps to Reproduce:
1. Install the mariadb 5.5.41-2.el7 packages on the system and execute the command below:

   # mysqladmin -u root -p

Backtrace from the coredump generated on local test system:

Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `mysqladmin -u root -p'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f4cb75224bd in malloc_consolidate (av=av@entry=0x7f4cb7860760 <main_arena>) at malloc.c:4129
4129		      unlink(av, nextchunk, bck, fwd);
(gdb) bt
#0  0x00007f4cb75224bd in malloc_consolidate (av=av@entry=0x7f4cb7860760 <main_arena>) at malloc.c:4129
#1  0x00007f4cb75230e7 in _int_free (av=0x7f4cb7860760 <main_arena>, p=0x7f4cba6ce8b0, have_lock=0) at malloc.c:4021
#2  0x00007f4cb8d5da48 in free_root (root=root@entry=0x7fff66a257c0, MyFlags=MyFlags@entry=0) at /usr/src/debug/mariadb-5.5.41/mysys/my_alloc.c:372
#3  0x00007f4cb8d682bd in my_print_default_files (conf_file=0x7f4cb8d7ff84 "my") at /usr/src/debug/mariadb-5.5.41/mysys/default.c:1075
#4  0x00007f4cb8d68348 in print_defaults (conf_file=<optimized out>, groups=0x7f4cb91f85e0 <load_default_groups>)
    at /usr/src/debug/mariadb-5.5.41/mysys/default.c:1083
#5  0x00007f4cb8d37cf7 in usage () at /usr/src/debug/mariadb-5.5.41/client/mysqladmin.cc:1235
#6  0x00007f4cb8d37ad6 in main (argc=0, argv=0x7f4cba6ce7a0) at /usr/src/debug/mariadb-5.5.41/client/mysqladmin.cc:330
(gdb)

How to repeat:
mysqladmin -u root -p

Suggested fix:
diff -up mariadb-5.5.41/client/mysqladmin.cc.bz1207041 mariadb-5.5.41/client/mysqladmin.cc
--- mariadb-5.5.41/client/mysqladmin.cc.bz1207041	2015-03-30 12:37:31.078880914 +0200
+++ mariadb-5.5.41/client/mysqladmin.cc	2015-03-30 13:03:32.442152833 +0200
@@ -1215,7 +1215,8 @@ static char **mask_password(int argc, ch
      }
     argc--;
   }
-  temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
+  if (argc >= 0)
+    temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
   return(temp_argv);
 }
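Review bot: the "if (argc >= 0)" guard stops the trailing "temp_argv[argc]= my_strdup(...)" store when the loop above has already decremented argc to -1, which is the argc == 0 call that the valgrind output in this thread pins to mysqladmin.cc:1221 (a write 8 bytes before the 1-byte block allocated at line 1204). It still lets the preceding allocation run with a zero-length request and hands the caller a pointer to that unusable block; consider rejecting the empty case before allocating, e.g. "if (argc == 0) return NULL;", and confirming that the caller tolerates a NULL result (the backtrace shows that path going straight to usage()). A comment above the guard explaining why argc can be negative here would also help the next reader, since the off-by-one is not obvious from the loop condition alone.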
[31 Mar 2015 5:57] Honza Horak
The same issue was reported to MariaDB:
https://mariadb.atlassian.net/browse/MDEV-7883
[31 Mar 2015 6:05] Shane Bester
Thanks for the report!
Affects 5.5, 5.6.
Does not affect 5.1, 5.7, 5.8.

==29760== Invalid write of size 8
==29760==    at 0x409E4E: main (mysqladmin.cc:1221)
==29760==  Address 0x5138d38 is 8 bytes before a block of size 1 alloc'd
==29760==    at 0x4A078E4: malloc (vg_replace_malloc.c:291)
==29760==    by 0x43549A: my_malloc (my_malloc.c:38)
==29760==    by 0x409D40: main (mysqladmin.cc:1204)
==29760==
./bin/mysqladmin  Ver 8.42 Distrib 5.6.25, for Linux on x86_64
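The valgrind output above places the bad write one pointer before a tiny allocation. The following C model, added here and not code from MySQL, MariaDB or anyone in this thread, reproduces the control flow of the copy loop as the hunk shows it (the password-masking branch is omitted, and the names argcopy, checked_copy, copy_args_unpatched and copy_args_patched are assumptions) with the destination array bounds-checked, so the argc == 0 case reports index -1 instead of corrupting the heap, while the suggested guard is shown to leave the copy intact for a normal argument list.

```c
/* Model of mysqladmin's argument-copy loop with a bounds-checked destination.
 * Added example, not MySQL/MariaDB code; names and structure are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char **slots;     /* copied argument pointers, nslots of them */
    int    nslots;    /* number of valid slots */
    int    oob_seen;  /* 1 if a store outside [0, nslots) was attempted */
    int    oob_index; /* the first such index */
} argcopy;

static void argcopy_init(argcopy *c, int argc)
{
    c->nslots = argc;
    /* Always hand back a real block, even for argc == 0, so the zero-slot
     * case mirrors the tiny allocation valgrind reported as "size 1". */
    c->slots = calloc(argc > 0 ? (size_t)argc : 1, sizeof *c->slots);
    c->oob_seen = 0;
    c->oob_index = 0;
}

/* Copy argv[idx] into slot idx, refusing and recording any index outside the
 * allocated array. argv is read only after the bounds check passes. */
static int checked_copy(argcopy *c, int idx, char **argv)
{
    if (idx < 0 || idx >= c->nslots) {
        if (!c->oob_seen) { c->oob_seen = 1; c->oob_index = idx; }
        return -1;
    }
    c->slots[idx] = strdup(argv[idx]);
    return 0;
}

static void argcopy_free(argcopy *c)
{
    for (int i = 0; i < c->nslots; i++)
        free(c->slots[i]);
    free(c->slots);
    c->slots = NULL;
    c->nslots = 0;
}

/* Same control flow as the unpatched function (assumed from the hunk context):
 * decrement, copy while argc > 0, then one unconditional store at index argc.
 * With argc == 0 that final index is -1. */
static void copy_args_unpatched(int argc, char **argv, argcopy *out)
{
    argcopy_init(out, argc);
    argc--;
    while (argc > 0) {
        checked_copy(out, argc, argv);
        argc--;
    }
    checked_copy(out, argc, argv);
}

/* The suggested fix from the report: guard the trailing store with argc >= 0. */
static void copy_args_patched(int argc, char **argv, argcopy *out)
{
    argcopy_init(out, argc);
    argc--;
    while (argc > 0) {
        checked_copy(out, argc, argv);
        argc--;
    }
    if (argc >= 0)
        checked_copy(out, argc, argv);
}

/* Constructed inputs: the crashing no-argument case and a three-command list. */
static char *no_args[] = { NULL };
static char *three_args[] = { "ping", "status", "version", NULL };

/* Index the unpatched loop tries to store at for argc == 0 (expected -1). */
int unpatched_index_for_empty_argv(void)
{
    argcopy c;
    copy_args_unpatched(0, no_args, &c);
    int idx = c.oob_seen ? c.oob_index : 0;
    argcopy_free(&c);
    return idx;
}

/* 1 if the patched loop performs no out-of-range store for argc == 0. */
int patched_is_clean_for_empty_argv(void)
{
    argcopy c;
    copy_args_patched(0, no_args, &c);
    int clean = !c.oob_seen;
    argcopy_free(&c);
    return clean;
}

/* 1 if the patched loop still copies every argument, in order. */
int patched_copies_all_args(void)
{
    argcopy c;
    copy_args_patched(3, three_args, &c);
    int ok = !c.oob_seen;
    for (int i = 0; i < 3 && ok; i++)
        ok = strcmp(c.slots[i], three_args[i]) == 0;
    argcopy_free(&c);
    return ok;
}

int main(void)
{
    printf("unpatched, argc=0: store attempted at index %d\n", unpatched_index_for_empty_argv());
    printf("patched, argc=0: clean=%d\n", patched_is_clean_for_empty_argv());
    printf("patched, argc=3: all copied=%d\n", patched_copies_all_args());
    return 0;
}
```

The recorded index of -1 is exactly one pointer (8 bytes on x86_64) before the block, matching the "8 bytes before a block of size 1" line in the valgrind report; the checked_copy wrapper is what turns that heap write into an observable value in this model.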
[8 Jul 2015 23:08] Paul Dubois
Noted in 5.5.46, 5.6.27, 5.7.9, 5.8.0 changelogs.

mysqladmin -u root -p could exit with a segmentation fault.